In the space of just a decade, the Internet, because it provides access to information, and the ability to publish information, in revolutionary ways, has emerged from relative obscurity to international prominence. Whereas, in general, an internet is a network of networks, the Internet is a global collection of interconnected local, mid-level, and wide-area networks that use the Internet Protocol (IP) as the network layer protocol. Whereas the Internet embraces many local- and wide-area networks, a given local- or wide-area network may or may not form part of the Internet.
As the Internet and its underlying technologies have become increasingly familiar, attention has become focused on Internet security and computer network security in general. With unprecedented access to information has also come unprecedented opportunities to gain unauthorized access to data, change data, destroy data, make unauthorized use of computer resources, interfere with the intended use of computer resources, etc. These opportunities have been exploited time and time again.
Many techniques have been used to prevent and detect unwanted processes and the various related malicious functionality resulting therefrom. For example, signature-based identification may be used to detect a threat using an associated signature. Specifically, once malicious code is detected, a signature, or definition, may be created for use in detecting future threats resulting from the detected malicious code.
Unfortunately, it takes a predetermined amount of time for such signatures associated with new malicious code to be distributed for use. Further, the speed with which malicious code propagates has increased significantly from a matter of weeks to a matter of hours. To this end, signature-based malicious code identification leaves computers/networks vulnerable for a significant time period from the initial proliferation of the malicious code until the distribution of the associated signature.
To compensate for the aforementioned vulnerability, behavioral heuristics have been used, which employ heuristics that employ a context of malicious operations in order to detect malicious code. In other words, behavioral heuristic techniques do not attempt to identify the malicious code, itself per se, but rather identify various computer/network functionality that is likely indicative of new malicious code.
Unfortunately, however, behavioral heuristic-based techniques are subject to false positives (i.e., situations where the techniques indicate that malicious code exists, when, in fact, it does not). Such false positive conditions often arise when certain functionality that is deemed to be malicious is also performed for benign purposes.
There is thus a need for a technique that provides the real-time protection of behavioral heuristics, with the additional accuracy (and less false positives) that is traditionally provided by signature-based scanning. Further, there is a need for overcoming these and/or other problems associated with the prior art.